8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874

Analysis

max time kernel
198s
max time network
264s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe
Size

1.2MB
MD5

c3bada2d2ae1cb6a1b6fee1c579543ff
SHA1

cb0a3175dedca399c6f535af981b82fb33692046
SHA256

8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874
SHA512

283c08bc69e27750e862ad2f5f421846eddda645a97835151c234b11c1b0a6ea0cd8e79c4ac6cb6ba5c483e164862c5a65dec000d3226f35c0b62dbde16a0285
SSDEEP

24576:AvmrDkTShx/S8ngS0UdnreKoctkEp3W8AD/Dhd+y4lqJ8QdCYDoDNKn01:Avyhxq8ndnreKDsvD/DX+y4onCYDoD5

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1888	file.exe
1140	dpvsetup.exe

Loads dropped DLL 8 IoCs

pid	Process
1032	8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe
1032	8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe
1228	cmd.exe
872	cmd.exe
872	cmd.exe
1140	dpvsetup.exe
1140	dpvsetup.exe
1140	dpvsetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ARP.EXE	file.exe
File created	C:\Windows\SysWOW64\bthudtask.exe	file.exe
File created	C:\Windows\SysWOW64\pcaui.exe	file.exe
File created	C:\Windows\SysWOW64\IME\shared\IMCCPHR.exe	file.exe
File created	C:\Windows\SysWOW64\hh.exe	file.exe
File created	C:\Windows\SysWOW64\netsh.exe	file.exe
File created	C:\Windows\SysWOW64\com\comrepl.exe	file.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPDADM.EXE	file.exe
File created	C:\Windows\SysWOW64\migwiz\PostMig.exe	file.exe
File created	C:\Windows\SysWOW64\chkdsk.exe	file.exe
File created	C:\Windows\SysWOW64\credwiz.exe	file.exe
File created	C:\Windows\SysWOW64\openfiles.exe	file.exe
File created	C:\Windows\SysWOW64\OptionalFeatures.exe	file.exe
File created	C:\Windows\SysWOW64\relog.exe	file.exe
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe	file.exe
File created	C:\Windows\SysWOW64\ctfmon.exe	file.exe
File created	C:\Windows\SysWOW64\getmac.exe	file.exe
File created	C:\Windows\SysWOW64\iscsicpl.exe	file.exe
File created	C:\Windows\SysWOW64\msfeedssync.exe	file.exe
File created	C:\Windows\SysWOW64\diskpart.exe	file.exe
File created	C:\Windows\SysWOW64\Dism.exe	file.exe
File created	C:\Windows\SysWOW64\driverquery.exe	file.exe
File created	C:\Windows\SysWOW64\extrac32.exe	file.exe
File created	C:\Windows\SysWOW64\dllhost.exe	file.exe
File created	C:\Windows\SysWOW64\ftp.exe	file.exe
File created	C:\Windows\SysWOW64\rekeywiz.exe	file.exe
File created	C:\Windows\SysWOW64\reg.exe	file.exe
File created	C:\Windows\SysWOW64\regedt32.exe	file.exe
File created	C:\Windows\SysWOW64\wbem\mofcomp.exe	file.exe
File created	C:\Windows\SysWOW64\attrib.exe	file.exe
File created	C:\Windows\SysWOW64\EhStorAuthn.exe	file.exe
File created	C:\Windows\SysWOW64\odbcconf.exe	file.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPDCT.EXE	file.exe
File created	C:\Windows\SysWOW64\autochk.exe	file.exe
File created	C:\Windows\SysWOW64\eudcedit.exe	file.exe
File created	C:\Windows\SysWOW64\findstr.exe	file.exe
File created	C:\Windows\SysWOW64\fixmapi.exe	file.exe
File created	C:\Windows\SysWOW64\mshta.exe	file.exe
File created	C:\Windows\SysWOW64\perfmon.exe	file.exe
File created	C:\Windows\SysWOW64\migwiz\MigSetup.exe	file.exe
File created	C:\Windows\SysWOW64\migwiz\migwiz.exe	file.exe
File created	C:\Windows\SysWOW64\convert.exe	file.exe
File created	C:\Windows\SysWOW64\cipher.exe	file.exe
File created	C:\Windows\SysWOW64\explorer.exe	file.exe
File created	C:\Windows\SysWOW64\label.exe	file.exe
File created	C:\Windows\SysWOW64\LocationNotifications.exe	file.exe
File created	C:\Windows\SysWOW64\icacls.exe	file.exe
File created	C:\Windows\SysWOW64\msdt.exe	file.exe
File created	C:\Windows\SysWOW64\cmd.exe	file.exe
File created	C:\Windows\SysWOW64\instnm.exe	file.exe
File created	C:\Windows\SysWOW64\gpupdate.exe	file.exe
File created	C:\Windows\SysWOW64\netiougc.exe	file.exe
File created	C:\Windows\SysWOW64\ntprint.exe	file.exe
File created	C:\Windows\SysWOW64\diskraid.exe	file.exe
File created	C:\Windows\SysWOW64\ocsetup.exe	file.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrmfRsmg.exe	file.exe
File created	C:\Windows\SysWOW64\gpresult.exe	file.exe
File created	C:\Windows\SysWOW64\lodctr.exe	file.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfRsmg.exe	file.exe
File created	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\xlog.exe	file.exe
File created	C:\Windows\SysWOW64\certreq.exe	file.exe
File created	C:\Windows\SysWOW64\mcbuilder.exe	file.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPMGR.EXE	file.exe
File created	C:\Windows\SysWOW64\finger.exe	file.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	file.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	file.exe
File created	C:\Program Files (x86)\Windows Mail\wab.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	file.exe
File created	C:\Program Files\Windows Mail\wab.exe	file.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	file.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	file.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	file.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	file.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	file.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	file.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe	file.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	file.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	file.exe
File created	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	file.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	file.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	file.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	file.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	file.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	file.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	file.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	file.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	file.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	file.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	file.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	file.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	file.exe
File created	C:\Program Files\Windows Media Player\wmpshare.exe	file.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	file.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	file.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	file.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	file.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	file.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	file.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	file.exe
File created	C:\Program Files\Windows Media Player\wmpenc.exe	file.exe
File created	C:\Program Files (x86)\Windows Media Player\wmprph.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	file.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	file.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	file.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	file.exe
File created	C:\Program Files\Windows Defender\MSASCui.exe	file.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	file.exe
File created	C:\Program Files\Windows Media Player\WMPDMC.exe	file.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe	file.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	file.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	file.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	file.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	file.exe
File created	C:\Program Files\Windows Journal\PDIALOG.exe	file.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	file.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.exe	file.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\36ca2928b2191011831ab673861c6ac6\WsatConfig.ni.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe	file.exe
File created	C:\Windows\servicing\TrustedInstaller.exe	file.exe
File created	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe	file.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\d09b54cd68bc772b3be3832926e940d4\LoadMxf.ni.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe	file.exe
File created	C:\Windows\assembly\GAC_MSIL\loadmxf\6.1.0.0__31bf3856ad364e35\loadmxf.exe	file.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	file.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe	file.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe	file.exe
File created	C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe	file.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe	file.exe
File created	C:\Windows\ehome\CreateDisc\SBEServer.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe	file.exe
File created	C:\Windows\ehome\ehtray.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe	file.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe	file.exe
File created	C:\Windows\ehome\McxTask.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\NETFXRepair.exe	file.exe
File created	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	file.exe
File created	C:\Windows\ehome\mcspad.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	file.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe	file.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe	file.exe
File created	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe	file.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\4cc02fad33053737088d4c18267ca0a0\Narrator.ni.exe	file.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\dfsvc.ni.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	file.exe
File created	C:\Windows\ehome\mcGlidHost.exe	file.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe	file.exe
File created	C:\Windows\servicing\GC64\tzupd.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	file.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe	file.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\SMSvcHost.ni.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe	file.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1032	8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1228	1032	8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe	28
PID 1032 wrote to memory of 1228	1032	8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe	28
PID 1032 wrote to memory of 1228	1032	8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe	28
PID 1032 wrote to memory of 1228	1032	8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe	28
PID 1032 wrote to memory of 872	1032	8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe	29
PID 1032 wrote to memory of 872	1032	8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe	29
PID 1032 wrote to memory of 872	1032	8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe	29
PID 1032 wrote to memory of 872	1032	8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe	29
PID 872 wrote to memory of 1888	872	cmd.exe	33
PID 872 wrote to memory of 1888	872	cmd.exe	33
PID 872 wrote to memory of 1888	872	cmd.exe	33
PID 872 wrote to memory of 1888	872	cmd.exe	33
PID 1228 wrote to memory of 1140	1228	cmd.exe	32
PID 1228 wrote to memory of 1140	1228	cmd.exe	32
PID 1228 wrote to memory of 1140	1228	cmd.exe	32
PID 1228 wrote to memory of 1140	1228	cmd.exe	32
PID 1228 wrote to memory of 1140	1228	cmd.exe	32
PID 1228 wrote to memory of 1140	1228	cmd.exe	32
PID 1228 wrote to memory of 1140	1228	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe
"C:\Users\Admin\AppData\Local\Temp\8138cca4d65de2d85c6fdebc65009c8104a0da942387baf2ef0c3b1315a1f874.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\\dpvsetup.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Users\Admin\AppData\Local\Temp\dpvsetup.exe
    C:\Users\Admin\AppData\Local\Temp\\dpvsetup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\\file.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\file.exe
    C:\Users\Admin\AppData\Local\Temp\\file.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dpvsetup.exe

Filesize
81KB

MD5
ea36b806e30d927f70e24eaf545ccc17

SHA1
92ab07441979c65ddcde4e1d9a96c7cb20c756a0

SHA256
626dd52e7727113b0d25ba73d1743edbdd7ea57c1fc31b678b22b1587a3e0eb1

SHA512
9c118d72af3d1c77b11bab80c3ca6e730313bd29fb8eab90dffacfb22ab11598f8f976abe8e3710597ed55fd957dc03cfdc9d26070421d7deb9195a5ad80204a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpvsetup.exe

Filesize
81KB

MD5
ea36b806e30d927f70e24eaf545ccc17

SHA1
92ab07441979c65ddcde4e1d9a96c7cb20c756a0

SHA256
626dd52e7727113b0d25ba73d1743edbdd7ea57c1fc31b678b22b1587a3e0eb1

SHA512
9c118d72af3d1c77b11bab80c3ca6e730313bd29fb8eab90dffacfb22ab11598f8f976abe8e3710597ed55fd957dc03cfdc9d26070421d7deb9195a5ad80204a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
600KB

MD5
7c621d0aed5235ca3d78762aded7eed5

SHA1
0b8c5cd23f592a8ff02e0473caa81b6e672e4769

SHA256
adb59f8e5ddf551c3fc3f45ebfba516d9caa3dc7bd9ca3c6a07aa3453e6bf0b3

SHA512
4a625db6c29d814ddc072255f9af063d408ee8f4629951a15842c633f31259706d06364ad50deb1e18c59ed099bfe24a69dd300aaada0ed7e0f16596001e8065

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
600KB

MD5
7c621d0aed5235ca3d78762aded7eed5

SHA1
0b8c5cd23f592a8ff02e0473caa81b6e672e4769

SHA256
adb59f8e5ddf551c3fc3f45ebfba516d9caa3dc7bd9ca3c6a07aa3453e6bf0b3

SHA512
4a625db6c29d814ddc072255f9af063d408ee8f4629951a15842c633f31259706d06364ad50deb1e18c59ed099bfe24a69dd300aaada0ed7e0f16596001e8065

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
97c8fe752e354b2945e4c593a87e4a8b

SHA1
03ab4c91535ecf14b13e0258f3a7be459a7957f9

SHA256
820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

SHA512
af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
56KB

MD5
d63851f89c7ad4615565ca300e8b8e27

SHA1
1c9a6c1ce94581f85be0e99e2d370384b959578f

SHA256
0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

SHA512
623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

Download Submit
\Users\Admin\AppData\Local\Temp\dpvsetup.exe

Filesize
81KB

MD5
ea36b806e30d927f70e24eaf545ccc17

SHA1
92ab07441979c65ddcde4e1d9a96c7cb20c756a0

SHA256
626dd52e7727113b0d25ba73d1743edbdd7ea57c1fc31b678b22b1587a3e0eb1

SHA512
9c118d72af3d1c77b11bab80c3ca6e730313bd29fb8eab90dffacfb22ab11598f8f976abe8e3710597ed55fd957dc03cfdc9d26070421d7deb9195a5ad80204a

Download Submit
\Users\Admin\AppData\Local\Temp\dpvsetup.exe

Filesize
81KB

MD5
ea36b806e30d927f70e24eaf545ccc17

SHA1
92ab07441979c65ddcde4e1d9a96c7cb20c756a0

SHA256
626dd52e7727113b0d25ba73d1743edbdd7ea57c1fc31b678b22b1587a3e0eb1

SHA512
9c118d72af3d1c77b11bab80c3ca6e730313bd29fb8eab90dffacfb22ab11598f8f976abe8e3710597ed55fd957dc03cfdc9d26070421d7deb9195a5ad80204a

Download Submit
\Users\Admin\AppData\Local\Temp\dpvsetup.exe

Filesize
81KB

MD5
ea36b806e30d927f70e24eaf545ccc17

SHA1
92ab07441979c65ddcde4e1d9a96c7cb20c756a0

SHA256
626dd52e7727113b0d25ba73d1743edbdd7ea57c1fc31b678b22b1587a3e0eb1

SHA512
9c118d72af3d1c77b11bab80c3ca6e730313bd29fb8eab90dffacfb22ab11598f8f976abe8e3710597ed55fd957dc03cfdc9d26070421d7deb9195a5ad80204a

Download Submit
\Users\Admin\AppData\Local\Temp\dpvsetup.exe

Filesize
81KB

MD5
ea36b806e30d927f70e24eaf545ccc17

SHA1
92ab07441979c65ddcde4e1d9a96c7cb20c756a0

SHA256
626dd52e7727113b0d25ba73d1743edbdd7ea57c1fc31b678b22b1587a3e0eb1

SHA512
9c118d72af3d1c77b11bab80c3ca6e730313bd29fb8eab90dffacfb22ab11598f8f976abe8e3710597ed55fd957dc03cfdc9d26070421d7deb9195a5ad80204a

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe

Filesize
600KB

MD5
7c621d0aed5235ca3d78762aded7eed5

SHA1
0b8c5cd23f592a8ff02e0473caa81b6e672e4769

SHA256
adb59f8e5ddf551c3fc3f45ebfba516d9caa3dc7bd9ca3c6a07aa3453e6bf0b3

SHA512
4a625db6c29d814ddc072255f9af063d408ee8f4629951a15842c633f31259706d06364ad50deb1e18c59ed099bfe24a69dd300aaada0ed7e0f16596001e8065

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe

Filesize
600KB

MD5
7c621d0aed5235ca3d78762aded7eed5

SHA1
0b8c5cd23f592a8ff02e0473caa81b6e672e4769

SHA256
adb59f8e5ddf551c3fc3f45ebfba516d9caa3dc7bd9ca3c6a07aa3453e6bf0b3

SHA512
4a625db6c29d814ddc072255f9af063d408ee8f4629951a15842c633f31259706d06364ad50deb1e18c59ed099bfe24a69dd300aaada0ed7e0f16596001e8065

Download Submit
memory/1032-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1032-58-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/1032-56-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1032-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download